Linux - Newbie forum, LinuxQuestions.org

INPUT (Default DROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if input interface is lo
ACCEPT if protocol is ICMP
ACCEPT if source is 127.0.0.1 and destination is 127.0.0.1
ACCEPT if protocol is TCP and destination port is 80
ACCEPT if protocol is TCP and destination port is 22
ACCEPT if protocol is TCP and destination port is 53
ACCEPT if protocol is UDP and destination port is 22
ACCEPT if protocol is TCP and destination port is 20:21
ACCEPT if protocol is TCP and destination port is 443
ACCEPT if protocol is TCP and input interface is ETH1 and destination port is 10000

FORWARD (Default DROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if input interface is ETH0 and output interface is ETH1
ACCEPT if input interface is ETH1 and output interface is ETH0

OUTPUT (Default DROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if output interface is lo
ACCEPT if protocol is ICMP
ACCEPT if source is 127.0.0.1 and destination is 127.0.0.1
ACCEPT if protocol is TCP and source port is 80
ACCEPT if protocol is TCP and source port is 22
ACCEPT if protocol is TCP and source port is 53
ACCEPT if protocol is UDP and source port is 22
ACCEPT if protocol is TCP and source port is 20:21
ACCEPT if protocol is TCP and source port is 443
ACCEPT if protocol is TCP and input interface is ETH1 and source port is 10000

Is this box being directly used or is it a gateway box? If it's direct then you need to kind of swap your input/output rules (unless you are running services on that box, then you'll need to just add to the rules). If it's a gateway box then you might want to MASQUERADE instead of SNAT; they are essentially the same, but I think MASQ'ing covers more protocols (I could easily be wrong on this).

Last edited by estabroo; 11-21-2008 at 10:48 AM.
Reason: re-write after re-reading question
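For reference, here is a complete ruleset for a two-NIC gateway like the "FIREWALL MACHINE" in this thread. This is an added example and not code posted by anyone in the thread; it assumes eth0 faces the router/Internet and eth1 is the LAN side carrying 192.168.1.99/24 (the address named later in the thread as the clients' gateway), both of which are my assumptions and overridable by environment variable. Three points differ from the listing above: the nat table gets a POSTROUTING rule, without which the LAN's private source addresses leave the box unchanged and replies never come back; FORWARD accepts NEW connections only from the LAN towards the WAN, the other direction being reached only by replies; and since the ESTABLISHED,RELATED rule sits first, matching OUTPUT on source port (as the listing does) adds nothing, while connections the box itself originates need to be allowed by destination port. On MASQUERADE versus SNAT: they NAT the same protocols; MASQUERADE uses whatever address the outgoing interface currently has and drops its connection entries when that interface goes down, which suits a dynamic WAN address, while SNAT takes a fixed --to-source.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables ruleset for a two-NIC gateway.
# Assumptions (mine, not stated by the poster): eth0 faces the router/Internet,
# eth1 is the LAN side and carries 192.168.1.99/24. Override if yours differ.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
# TCP services the gateway itself offers to the LAN (the thread's list: ftp, ssh,
# dns, http, https and port 10000). Trim this to what really runs on the box.
LAN_TCP_SERVICES=${LAN_TCP_SERVICES:-20:22,53,80,443,10000}

# build_rules prints one iptables command per line so the ruleset can be
# reviewed or diffed before apply_rules runs it. Ordering matters: the
# conntrack ACCEPT comes first in every chain, then the few NEW exceptions,
# and the chain policy (DROP) catches everything else. FORWARD only opens
# LAN -> WAN; the MASQUERADE rule is restricted to LAN_NET so a spoofed source
# arriving on the LAN side is never NATed out.
build_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports $LAN_TCP_SERVICES -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 53,80,443 -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# apply_rules turns forwarding on (with it off the LAN gets nothing, whatever
# the rules say) and then executes the rules, stopping at the first failure.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | sh -e
}

case "${1:-}" in
    show)  build_rules ;;   # print the rules for review
    apply) apply_rules ;;   # install them (root)
esac
```

Run it as `sh gateway.sh show` to inspect and `sh gateway.sh apply` to install. To keep forwarding across reboots add `net.ipv4.ip_forward = 1` to /etc/sysctl.conf; for active-mode FTP from the LAN the RELATED match only works once the nf_conntrack_ftp (ip_conntrack_ftp on older kernels) helper module is loaded.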

I can't really see the problem in the rules, so this might sound a bit crazy, but can you get so far as to ping the Gateway? Can you ping Google.com, can you ping 209.85.171.99? Basic checks I know but might help in finding the problem. Also (this won't be the problem), but shouldn't port 22 be TCP not UDP?

Quote:

Is this box being directly used or is it a gateway box? If it's direct then you need to kind of swap your input/output rules (unless you are running services on that box, then you'll need to just add to the rules). If it's a gateway box then you might want to MASQUERADE instead of SNAT; they are essentially the same, but I think MASQ'ing covers more protocols (I could easily be wrong on this).

This box is the gateway box. Here's the set up of the network

INTERNET >> ROUTER >> FIREWALL MACHINE >> SWITCH >> LAN

I also tried the MASQUERADE rule, but it results in nothing.

Quote:

I can't really see the problem in the rules, so this might sound a bit crazy, but can you get so far as to ping the Gateway? Can you ping Google.com, can you ping 209.85.171.99? Basic checks I know but might help in finding the problem. Also (this won't be the problem), but shouldn't port 22 be TCP not UDP?

If I ping from the firewall machine, it can, and it also pings other sites, but when I use any of the computers connected to the LAN it cannot ping or browse any sites.

Quote:

ACCEPT if protocol is TCP and destination port is 22
ACCEPT if protocol is TCP and destination port is 53
ACCEPT if protocol is UDP and destination port is 22

Sorry, this is a typo error.

This should be port 53, not 22.

I also tried to flush the iptables rules and accept everything, but still the computer connected to the LAN can't access the net.

What could be the problem? Correct me if I'm wrong... I thought this has nothing to do with iptables, but I wonder what could be the problem. I'm new to Linux and I'm really having a hard time figuring out the problem.

I wonder if the problem stems from your mixture of IP addresses used for the gateway, eth0 and eth1. My routers so far have always had the same IP for the gateway and one of the ethernet cards. On the other hand, maybe I was just lucky that it worked at all.

Quote:

I also tried to flush the iptables rules and accept everything, but still the computer connected to the LAN can't access the net.

You didn't have to go that far; you could have just done "/etc/init.d/iptables stop" to test whether the problem was your firewall. However, if you turn your firewall off and it still does not connect outwardly, then the problem is not the firewall at all but your network settings. As said above, do you have IP forwarding on?

Also on the machines within your network, have you ensured that they are using 192.168.1.99 as their gateway address since I assume that this machine you are dealing with is acting as a firewall and thus they must all pass through this connection?

Did you turn on forwarding?
Check with cat /proc/sys/net/ipv4/ip_forward
Set with echo 1 > /proc/sys/net/ipv4/ip_forward
and you can set it permanently in /etc/sysctl.conf (on most Linux distros)
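The checks asked for in the last few replies (is forwarding on, is there a NAT rule, do the LAN PCs point at the firewall as their gateway, does a numeric ping work where a name does not) fit in one small script. This is an added example, not code from the thread; the parsing functions take their input as text so they can be exercised on constructed samples, and the real commands only run when the script is invoked with `gateway` (on the firewall) or `client` (on a LAN PC). The firewall LAN address 192.168.1.99 comes from the thread; the probe address 8.8.8.8 is an arbitrary public IP I chose.

```shell
#!/bin/sh
# Added example, not code from the thread: LAN-gateway troubleshooting checks.
# Assumption (mine): PROBE_IP is any public address that answers ping.
PROBE_IP=${PROBE_IP:-8.8.8.8}

# Print the gateway of the default route from `ip route show` text ($1).
default_gateway_from_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Succeed only if the kernel forwarding switch reads 1 ($1 overrides the path,
# which lets the function be tested against a temporary file).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Succeed if `iptables -t nat -S POSTROUTING` text ($1) contains source NAT.
nat_rule_present() {
    printf '%s\n' "$1" | grep -q -e '-j MASQUERADE' -e '-j SNAT'
}

# Compare a client's default gateway ($1 = its `ip route show` text) with the
# firewall's LAN address ($2). This is the mismatch that ended the thread:
# clients pointed at 192.168.1.1 while the firewall sat on 192.168.1.99.
check_client_gateway() {
    gw=$(default_gateway_from_routes "$1")
    if [ "$gw" = "$2" ]; then
        echo "ok: default gateway is $gw"
    else
        echo "MISMATCH: default gateway is '${gw:-none}', expected $2"
        return 1
    fi
}

# Ping one target. Calling it with a numeric address and then a name separates
# routing/NAT trouble (both fail) from DNS trouble (only the name fails).
probe() {
    if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo "ok: reach $1"; else echo "FAIL: reach $1"; fi
}

gateway_checks() {   # run on the firewall box as root
    if forwarding_enabled; then echo "ok: ip_forward=1"; else echo "FAIL: ip_forward is 0"; fi
    if nat_rule_present "$(iptables -t nat -S POSTROUTING 2>/dev/null)"; then
        echo "ok: NAT rule present"
    else
        echo "FAIL: no MASQUERADE/SNAT rule in nat POSTROUTING"
    fi
    probe "$PROBE_IP"; probe google.com
}

client_checks() {    # run on a LAN PC: client <firewall LAN ip>
    check_client_gateway "$(ip route show)" "$1"
    probe "$1"; probe "$PROBE_IP"; probe google.com
}

case "${1:-}" in
    gateway) gateway_checks ;;
    client)  client_checks "${2:?usage: $0 client <firewall LAN ip>}" ;;
esac
```

On a client, `sh netcheck.sh client 192.168.1.99` reports the gateway mismatch before trying any pings; on the firewall, `sh netcheck.sh gateway` covers the forwarding switch and the nat table in one go.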

Yes, I did turn on the forwarding

Quote:

Can you post a sample network setting from one of the LAN client PCs?

I wonder if the problem stems from your mixture of IP addresses used for the gateway, eth0 and eth1. My routers so far have always had the same IP for the gateway and one of the ethernet cards. On the other hand, maybe I was just lucky that it worked at all.

This is the network config of one of the computers in the LAN:

ipadd: 192.168.1.107
netmask: 255.255.255.0
gateway: 192.168.1.1

Quote:

As said above do you have ipforwarding on?

Also on the machines within your network, have you ensured that they are using 192.168.1.99 as their gateway address since I assume that this machine you are dealing with is acting as a firewall and thus they must all pass through this connection?

Yes, I turned on the forwarding.
Re the gateway, the network config of one of the computers in the LAN is:

Quote:

Also on the machines within your network, have you ensured that they are using 192.168.1.99 as their gateway address since I assume that this machine you are dealing with is acting as a firewall and thus they must all pass through this connection?

I changed the gateway of the computers connected to the LAN, and then when I try browsing... it works!

Thanks a lot guys!

I will now configure the squid proxy...I hope I can.

I'll keep posting the results of my configuration and will ask for your help/suggestions.

That's not the default port for squid. You set squid to work on 3128. So you need to tell the browser to connect to the net through the proxy by giving its IP address and the port 8000 that you have configured it to work on. It will not work by default. Another thing to ask: is your squid running in transparent mode? If yes, then forget the browser settings. Also search the LQ forums for transparent squid.
You need not set the second rule. For web browsing port 80 is used. So you need to accept the connections originating from port 80, which you already have done.
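The two ways of putting Squid in front of the LAN described above (browser configured with the proxy's address and port, or transparent interception) each need their own firewall rules and their own squid.conf line. The following is an added example, not code from the thread or from the Squid project; it assumes Squid listens on 3128 on the gateway, that eth1 is the LAN interface and that the LAN is 192.168.1.0/24, all of which are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: firewall rules and the matching
# squid.conf line for an explicit or a transparent Squid on the gateway.
# Assumptions (mine): Squid on 3128, LAN interface eth1, LAN 192.168.1.0/24.
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}

# Explicit proxy: browsers are configured with <gateway ip>:<port>, so the
# gateway's INPUT chain only needs to accept that port from the LAN.
explicit_proxy_rules() {
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT"
}

# Transparent proxy: port-80 traffic from the LAN is redirected to Squid in
# nat PREROUTING, before the routing decision, so browsers need no settings.
# Only plain HTTP is caught this way; HTTPS (443) still passes through FORWARD.
transparent_proxy_rules() {
    explicit_proxy_rules
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# squid.conf http_port line for the mode. Interception is spelled
# "transparent" in Squid 2.x and "intercept" from Squid 3.1 on; a Squid that
# is not told it is intercepting will reject the redirected requests.
squid_http_port_line() {   # $1: explicit|transparent, $2: Squid major version (2|3)
    case "$1" in
        explicit)    echo "http_port $SQUID_PORT" ;;
        transparent)
            if [ "${2:-3}" = "2" ]; then
                echo "http_port $SQUID_PORT transparent"
            else
                echo "http_port $SQUID_PORT intercept"
            fi ;;
        *) echo "usage: squid_http_port_line explicit|transparent [2|3]" >&2; return 1 ;;
    esac
}

case "${1:-}" in
    explicit)    explicit_proxy_rules;    squid_http_port_line explicit ;;
    transparent) transparent_proxy_rules; squid_http_port_line transparent "${2:-3}" ;;
esac
```

`sh squidrules.sh transparent 2` prints the two iptables commands plus the Squid 2.x config line; note that in transparent mode the INPUT rule for the Squid port is still required, because the REDIRECT turns forwarded traffic into traffic addressed to the gateway itself.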

Using a firewall and NAT does increase security a lot, but protecting against hacking is never 100% possible; effectively all you can do is make it as hard as you can and deter hackers as much as possible. You can use certain techniques like sacrificial machines that log all access to them and then block the associated IPs, but I'd never ever say any machine connected to the internet is fully protected against hacking.